I’ve worked in some interesting environments. By “interesting” I mean
everyone had the keys to the kingdom. Every IT person on staff had
domain admin privileges. Yeah. Let that sink in. Of course I’m not
alone in my experience in that environment - I’ve heard numerous
other stories like this. Remediation is always “planned”, but since
the policies have been in place for so long, there are a lot of steps
that need to be taken to make sure that the necessary access isn’t
lost.

In my role as an EM+S consultant I frequently find myself needing
Azure Global Administrator rights to get things set up for my clients.
Clients are usually hesitant to give that access - and rightfully so.
However, what if there was a way to grant me the rights I needed in
Azure on a time-limited basis that was also monitored?

EM+S E5 licenses have access to a pretty sweet feature called
“Privileged Identity Management” or PIM. If life without PIM is
like giving users keys to unlock specific doors (keys you then
have to recover when a user should no longer have access to that
door), imagine PIM as smart card access to secured spaces. You
can’t easily audit access to a room if a user has a key, and
they will always have the access as long as they have the key.
A smart card system, however, lets you monitor access to
the secured space, give temporary access to the secured space, and
maybe even have a system in place to easily approve/deny access to
secured spaces.

If you’re as tired of the “old” way as I am, read on - I’m going to
introduce you to the wonderful world of PIM.

NOTE: PIM also supports Azure Resources (like VMs) but we won’t be
covering that in this post - we’ll save that for a future post.

Getting Started

The first thing we need to do is consent to using PIM. You will need to
log on as an Azure Global Administrator to do this. Note that the user
who consents to PIM automatically becomes a “Security administrator”
and a “Privileged role administrator” in Azure (these are new roles
created by the PIM feature). In the portal you need to add the
“Azure AD Privileged Identity Management” blade. Click on “All
Services”, search for “privileged”, and press the star next to
“Azure AD Privileged Identity Management”.

Now we can open the PIM blade. The first thing we need to do from here
is consent to PIM. Press “Consent to PIM” and then press the “Consent”
button. You will be prompted whether or not you’d like to proceed as
an additional level of verification.

Once you have consented, it is strongly recommended to add additional
members to the “Security administrator” and “Privileged role administrator”
roles in Azure AD. You don’t want to lock yourself out of the console
if you delete the last user holding those roles.

NOTE: Managing PIM requires MFA (as do a handful of the PIM roles),
so you will want to make sure you are selecting an account that is
or can be set up for MFA.

Since you should be experts at adding users to roles in Azure AD
already, I’m not going to walk you through this process but I’ll
give you a hint where it’s located:

After you get your roles setup for redundancy, we need to activate PIM
for Azure AD directory roles. Back in the PIM blade, under “Manage”
select the “Azure AD directory roles” button.

Click the “Sign up” button at the top after the status check is completed.

Azure will do a few checks in your environment - looking for privileged
roles and their current assignments.

After your roles are discovered, either refresh the page or open up “Azure
AD directory roles” again.

Configuring Roles in PIM

Now we have some new options under “Manage”. The first thing we need to do is
configure some settings around roles and alerts. Press the “Settings”
link.

Then press the “Roles” link.

Since this is a demo, why don’t we look at the most important role
in our environment - Global Administrator. Find it in the list and
select it. You’ll be presented with a list of options configurable
for this role.

Maximum activation duration (hours): determines the maximum amount
of time a user can have their elevated access before they have to
send another request.

Require incident/request ticket number during activation: if you’re
using a ticketing system and want to keep track of these requests using
those numbers, you can enable that in this field.

Require MFA for activation: if you want users to validate who they
are when requesting access, this is where you do it. It’s also forced
on for a number of different roles (Global Administrator being one of them,
as you can see).

Select Approvers: select the users who can approve requests for this
level of access.

In our case, we’re going to give Cmdr. Mike Metcalf and Lt. Cmdr. Rick
Heatherly access to approve requests to be Global Administrators. Notice
that Rick doesn’t have to be a Global Administrator to approve GA requests.
Pretty neat.

Another thing to note is that if Rick were an approver for this
role and was also eligible for it, he could not approve his
own requests. Also pretty neat.

Making Users Eligible

Now let’s make someone eligible for the Global Administrator role!
Back at the “Azure AD directory roles” page, press the “Roles”
button and then at the top of that menu press “Add Member”.

Choose “Select a role” and then select the “Global Administrator”
role.

Next we’re going to assign a user as “Eligible” to become Global
Administrators. For this example we’ll add Lt. Cmdr. Rick Heatherly.
Choose the “Select members” option, locate him, and select him.

Now press the “Members” link and you should see Rick added as Eligible
for Global Administrator.

Demoing the Approval Workflow Process

Open up a new private window and log on to the Azure portal with
the credentials for the account we gave “Eligible” access to. If
your AAD users are configured like mine, you should see that user’s
role is just “User”.

Now we should open up the “Azure AD Privileged Identity Management”
blade and click on the “My roles” link. You should see the “Global
Administrator” role option available. Press “Activate” to activate
the role.

You’ll be taken to another page for activation - you may also be
required to authenticate via MFA. Press the “Activate” button and
you will be asked for some additional information.

For this demo I’m going to ask for an hour, and give a reason for
my request.

Once I “activate” my role I’ll see a new alert in the portal.

Eventually it will tell me that my request is pending approval.

If we go over to the “My requests” task you can see the status of
your current request.

Going back to our original window (or opening Azure AD directory
roles from a user who is an approver for Global Administrators)
select the “Approve requests” page. Find the request from Rick
and then approve it.

You will need to provide an “approve reason” and then you can
approve the request.

Now we can go back to Rick’s session and see that his approval
has been completed if you open up the “My requests” blade.

Next, to force Azure AD to refresh his rights, open up “Application
access” and then select “Go to the Azure AD administration portal”.
This will force the application to refresh.

Now if we go back to the Azure AD dashboard, guess what?! Rick is now
a Global Administrator… for an hour.

Now Rick can perform a bunch of our necessary tasks. If Rick finishes
up early, he can go back to his “Azure AD directory roles” in the PIM
blade, and deactivate his access.

Pressing on the “Deactivate” button takes him to a familiar blade from
earlier. Now Rick can deactivate his access.

Final Thoughts

We covered a lot in this post, and there is still more to look into.
In a future post we’ll take a look at the auditing available to you,
as well as configuring the alerting. In the meantime - poke around
your Azure AD environment some more. As Ms. Frizzle always said…

“Take chances, make mistakes, get messy, then get wasted”

Didn’t know Ms. Frizzle was a raging alcoholic did you? Well now you
do.